b'June 2005\nReport No. 05-019\n\n\nFDIC\xe2\x80\x99s New Financial Environment\n(NFE) Testing\n\n\n\n\n             AUDIT REPORT\n\x0c           `                                                                                        Report No. 05-019\n                                                                                                           June 2005\n\n                                   FDIC\xe2\x80\x99s New Financial Environment (NFE) Testing\n                                   Results of Audit\n\n                                   The FDIC has developed a rigorous multi-stage test strategy and schedule for the New\n                                   Financial Environment (NFE) to ensure it will function as designed and meet users\xe2\x80\x99\n Background and Purpose\n                                   needs. The FDIC reported that most test activities considered critical to final decisions\n of Audit                          had been completed before deployment of NFE core PeopleSoft financial modules on\n                                   May 2, 2005. However, KPMG found that improvements were needed in the various\n On December 10, 2001, the         testing phases of NFE, such as performing sufficient production simulation tests,\n FDIC\xe2\x80\x99s Board of Directors         providing evidence of verification for month- and year-end closings, ensuring adequate\n approved the purchase and         documentation for problem identification and resolution, and independently verifying\n implementation of a               the accuracy and completeness of tests performed for business processes. As a result,\n commercial-off-the-shelf          financial management system integrity and financial reporting risks may not have been\n solution to support an            mitigated to an acceptable level at the time KPMG completed its audit work.\n enterprise-wide financial\n environment for the FDIC. In      We provided details of the findings as they were identified to the Division of Finance\n October 2002, the FDIC            (DOF) and NFE project management team to facilitate timely corrective action and\n contracted with Accenture LLP     response where appropriate. Also, in order to facilitate corrective action, KPMG\n to assist the Corporation in      assigned a risk ranking for each condition found in system integration testing, quality\n replacing its financial systems   assurance testing, and user acceptance testing based on defined risk management\n with a PeopleSoft financials      assessment criteria for the NFE project.\n solution. Scheduled\n deployment of the New\n                                   Recommendation and Management Response\n Financial Environment (NFE)\n core financial system was to\n                                   We recommended that DOF and the NFE project management team review the risks\n originally occur on July 1,\n                                   identified and develop a risk resolution and action approach in accordance with the risk\n 2004. In June 2004, the Board\n                                   mitigation procedures outlined in the NFE risk management plan.\n approved the business case to\n re-baseline the NFE project\n                                   FDIC management concurred with the recommendation and provided a risk assessment\n with an additional cost of $18\n                                   matrix that summarizes the risk resolution and action approach for the conditions\n million and to establish a\n                                   discussed in the report. Management also responded that sound management processes\n revised deployment date for\n                                   were instrumental in mitigating risks and its control framework afforded a high degree\n the core financial systems of\n                                   of confidence that a \xe2\x80\x9cgo live\xe2\x80\x9d decision was appropriate under the circumstances.\n mid 2005. The NFE Principals\n                                   Management\xe2\x80\x99s corrective actions effectively addressed our findings and\n and the NFE Steering\n                                   recommendation, which is considered closed.\n Committee are responsible for\n overseeing NFE project\n activities.\n\n The audit objective was to\n determine the adequacy of the\n NFE test processes and the\n defect and change management\n processes in resolving\n problems identified during\n NFE testing. The report was\n prepared by KPMG LLP under\n a contract with the OIG to\n provide professional audit\n services.\n\nTo view the full report, go to\nwww.fdicig.gov/2005reports.asp     V-Model of Multi-stage Testing\n                                   Source: DOF Corporate Applications Testing Strategy, Version 2, 3/15/2004.\n\x0cFederal Deposit Insurance Corporation                                                                Office of Audits\n801 17th Street NW, Washington, DC 20434                                                Office of Inspector General\n\n\n\n\nDATE:                                  June 6, 2005\n\nMEMORANDUM TO:                         Fred S. Selby\n                                       Director, Division of Finance\n\n\n\nFROM:                                  Russell A. Rau [Electronically produced version; original signed by Stephen M. Beard]\n                                       Assistant Inspector General for Audits\n\nSUBJECT:                               The FDIC\xe2\x80\x99s New Financial Environment (NFE) Testing\n                                       (Report No. 05-019)\n\nEnclosed is a copy of the subject report prepared by KPMG LLP under a contract with the Office\nof Inspector General (OIG). Please refer to the Executive Summary for the overall audit results.\nThe firm\xe2\x80\x99s report is presented as Part I of this document.\n\nThe report concludes that the FDIC had developed a rigorous multi-stage test strategy and\nschedule for the NFE to ensure it would function as designed and meet users\xe2\x80\x99 needs. However,\nthe report includes a recommendation that the Division of Finance and the NFE project\nmanagement team review and develop a risk resolution approach for risks that may not have\nbeen mitigated to an acceptable level where aspects of testing needed improvement.\n\nA summary and our evaluation of your response, the response in its entirety, and the status of the\nrecommendation are contained in Part II of this report. The response adequately addressed the\nrecommendation in the report. We consider the recommendation to be resolved, dispositioned,\nand closed as the agreed-upon corrective action has been implemented and determined to be\neffective.\n\x0c                                Table of Contents\n\n\n\nPart I:\n\n   Report by KPMG LLP\n   The FDIC\xe2\x80\x99s New Financial Environment (NFE) Testing   I-1\n\n\nPart II:\n   Corporation Comments and OIG Evaluation              II-1\n   Corporation Comments                                 II-2\n   Management Response to Recommendation                II-9\n\x0cFDIC\xe2\x80\x99s New Financial Environment (NFE) Testing\n\n\n              Prepared for the\n    Federal Deposit Insurance Corporation\n         Office of Inspector General\n\x0c      Part I\n\nReport by KPMG LLP\n\x0c                              TABLE OF CONTENTS\n\nI.     EXECUTIVE SUMMARY                                                       3\n\nResults of Audit                                                               3\n\nRecommendation                                                                 5\n\nII.    BACKGROUND                                                              5\n\nProject Scope                                                                  6\n\nProject Test Strategy and Results                                              7\n\nManaging Test Activities                                                       8\n\nIII.   DETAILED FINDINGS                                                       8\n\nFinding 1: Production Simulation Tests Needed                                  8\n\nFinding 2: Effectiveness of Accounting Verifications for Month- and Year-End\nClosings                                                                       9\n\nFinding 3: Defect Consolidation, Traceability, and Documentation               11\n\nFinding 4: Effectiveness of Test Activities Performed                          12\n\nAPPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY                                  15\n\nAPPENDIX B: APPLICABLE STANDARDS AND GUIDANCE                                  17\n\nAPPENDIX C: NFE TEST STRATEGY AND PROCESSES                                    21\n\nAPPENDIX D: RISK ASSESSMENT APPROACH                                           26\n\nAPPENDIX E: ACRONYMS                                                           29\n\nTABLE:\nSummary of Findings                                                                4\n\nFIGURES\nFigure 1: V-Model                                                              21\nFigure 2: Risk Assessment Matrix                                               27\n\n\n\n\n                                            I-2\n\x0cI.     Executive Summary\n\nThe Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG)\ncontracted with KPMG LLP to provide professional audit services. A task order issued\nunder the contract called for KPMG to audit and report on the effectiveness of the FDIC\xe2\x80\x99s\nNew Financial Environment (NFE) system development test activities. This audit is one\nin a series of OIG audits of the FDIC\xe2\x80\x99s system development initiatives on the NFE\nproject.\n\nThe objective of the audit was to determine the adequacy of the NFE test processes and\nthe defect and change management processes in resolving problems identified during\ntesting. Our audit addressed Systems Integration Testing (SIT), User Acceptance Testing\n(UAT), and Configuration and Quality Management Staff (CQMS) activities, which are\ndescribed in the Background section of this report. A detailed discussion of our audit\nobjective, scope, and methodology is provided in Appendix A of this report.\n\nKPMG evaluated test activities according to software verification and validation\nguidelines established by the National Institute of Standards and Technology (NIST), the\nCapability Maturity Model Integration (CMMI) for systems engineering, and Joint\nFinancial Management Improvement Program (JFMIP) for government financial systems,\nwhich are discussed in Appendix B. Additional guidelines considered in this review\ninclude those published by the Government Accountability Office (GAO) and the Office\nof Management and Budget (OMB) related to the implementation of the Federal Financial\nManagement Improvement Act (FFMIA). KPMG conducted its work in accordance with\ngenerally accepted government auditing standards from November 1, 2004 through\nMarch 8, 2005.\n\nResults of Audit\n\nThe FDIC had developed a rigorous multi-stage test strategy and schedule for NFE to\nensure it will function as designed and meet users\xe2\x80\x99 needs. The FDIC reported\nconsiderable progress in completing most test activities considered critical to final\ndecisions on the deployment of NFE core PeopleSoft financial modules scheduled for\nMay 2, 2005. However, KPMG found that improvements were needed in SIT, UAT, and\nCQMS activities. As a result, financial management system integrity and financial\nreporting risks may not have been mitigated to an acceptable level at the time KPMG\ncompleted its audit work.\n\nWe provided details of these findings as they were identified to the Division of Finance\n(DOF) and NFE project management team to facilitate timely corrective action and\nresponse where appropriate. Each finding is summarized in the table on the next page for\nthe test areas reviewed, and KPMG has assigned a risk ranking based on defined risk\nmanagement assessment criteria for the NFE project.\n\n\n\n\n                                           I-3\n\x0c    Summary of Findings\n                                                                      Test Activity                                  Riska\nFinding                Condition                   Systems           Configuration       User             High      Medium        Low\n                                                   Integration       Quality             Acceptance\n                                                   Testing           Management          Testing\n                                                                     Staff\n1         Inadequate user training.                                                            \xe2\x88\x9a             \xe2\x88\x9a\n          Inadequate chart of accountb tests.                                                  \xe2\x88\x9a             \xe2\x88\x9a\n          Business processes were not\n          tested sequentially from start to                                                    \xe2\x88\x9a             \xe2\x88\x9a\n          finish without interruption.\n          UAT did not include all\n                                                                                               \xe2\x88\x9a             \xe2\x88\x9a\n          production simulation testing.\n2         Documented evidence did not\n          exist for accounting-based\n          verifications performed for                     \xe2\x88\x9a                                                              \xe2\x88\x9a\n          month- and year-end closings\n          during SIT.\n          UAT month and year-end tests\n          planned do not provide\n                                                                                               \xe2\x88\x9a             \xe2\x88\x9a\n          requirements for accounting\n          verifications and reconciliations.\n          Scripts for identifying or\n          researching un-posted\n                                                          \xe2\x88\x9a                                                              \xe2\x88\x9a\n          transactions and posting errors\n          were omitted.\n          CQMS did not perform an\n          independent review of the month-                                  \xe2\x88\x9a                                            \xe2\x88\x9a\n          end and year-end test processes.\n          Independent test activities\n          excluded UAT validation                                                                                        \xe2\x88\x9a\n          activities.\n3         A centralized and controlled\n          defect tracking system has not                  \xe2\x88\x9a                                    \xe2\x88\x9a                         \xe2\x88\x9a\n          been established.\n4         UAT documentation is not\n          effectively organized to\n          independently verify the accuracy\n                                                                                              \xe2\x88\x9a\n          and completeness of tests                                                                                                \xe2\x88\x9a\n          performed for NFE business\n          processes.\n          Test activities and scenarios were\n          missing from sampling test\n                                                                                               \xe2\x88\x9a                         \xe2\x88\x9a\n          scriptsc applicable to compliance\n          requirements of the FFMIA.\n          There are no plans at this time for\n          testing about 50-70 customized\n          Financial Management System                                                          \xe2\x88\x9a                         \xe2\x88\x9a\n          (FMS) reports currently generated\n          by the Walker General Ledger.d\n          a. See Appendix D for the risk management ranking criteria applied.\n          b. The Chart of Accounts is a listing of all the accounts in the general ledger; each account is accompanied by a\n          reference number. To set up a chart of accounts, the various accounts to be used by the business need to be defined.\n          c. A test script is a test designed for a specific business process activity. Part of this design includes applicable\n          scenarios representing methods for accomplishing a given activity.\n          d. The current financial management system is referred to as the Walker Interactive system.\n\n\n                                                                    I-4\n\x0cRecommendation\n\nKPMG recognized that many of the issues identified and previously reported to the FDIC\nmay have impacted NFE-scheduled implementation and deployment activities.\nTherefore, KPMG recommended that the Director, DOF, and the NFE project\nmanagement team review the risks identified and develop a risk resolution and action\napproach in accordance with the risk mitigation procedures outlined in the NFE risk\nmanagement plan.\n\nII.    Background\n\nOn December 10, 2001, the FDIC\xe2\x80\x99s Board of Directors approved the purchase and\nimplementation of a commercial-off-the-shelf (COTS) solution to support an\nenterprise-wide, integrated financial environment for the FDIC. The decision was based\non the need to modernize the FDIC\xe2\x80\x99s complex and aging legacy financial system. The\ncurrent financial management system, referred to as the Walker Interactive system, is\ncharacterized as a system with non-integrated components feeding into core financial\nmanagement system (FMS) functions that requires significant reconciliation activity.\nSubstantial manual processes and significant staff resources from the FDIC\xe2\x80\x99s DOF and\nDivisions of Insurance and Research and Resolutions and Receiverships (DRR) are\nneeded to achieve an unqualified opinion on the Corporation\xe2\x80\x99s financial statements.\nAdditionally, the current system\xe2\x80\x99s functionality is limited and may preclude\ninfrastructure upgrades.\n\nThe FDIC contracted with Accenture LLP (Accenture) in October 2002 to assist the\nCorporation in replacing its financial systems with a PeopleSoft financials solution, a\nCOTS product. DOF and the Division of Information Technology (DIT) jointly managed\nthe project. The NFE project involves less than a 5-percent customization of the\nPeopleSoft financial modules. The FDIC considers the re-engineering of its business\npractices to be a critical factor in achieving the expected benefits of the NFE in terms of\nstreamlining business processes and avoiding the high-maintenance costs associated with\nsoftware customization. The implementation of the core financial system was originally\nscheduled to occur on July 1, 2004. In June 2004, the Board approved the business case\nto re-baseline the NFE project with a revised implementation schedule and $18 million in\nadditional funding to support the project costs associated with evaluation of the new system\nand changing business processes, renovation of legacy systems, new security and quality\nassurance mandates, and a contingency fund. Under the revised schedule, the core\nfinancial system was scheduled for implementation on May 2, 2005. The Budget\nFormulation/Receivership Service Billing/Enterprise Warehouse component and the cost\nmanagement component were planned for implementation on July 1 and September 1,\n2005, respectively.\n\nThe NFE Principals and the NFE Steering Committee are responsible for overseeing NFE\nproject activities. The NFE Principals group is composed of the Chief Financial Officer\n(CFO) and the directors of the divisions most impacted by NFE implementation (DOF,\nDIT, DRR, and the Division of Administration (DOA)). The Steering Committee\nprovides direct oversight and includes senior management representatives from DIT,\nDRR, DOA, the Division of Supervision and Consumer Protection (DSC), and the Office\n\n                                             I-5\n\x0cof Enterprise Risk Management (OERM). The NFE project management team is\nresponsible for providing guidance and direction to all involved parties in these activities,\nincluding the FDIC test coordinators, legacy and core test managers, FDIC NFE team\nleads, Accenture test execution team, Accenture fix teams, and business area points of\ncontact.\n\nProject Scope\n\nThe current NFE project timeline for deployment is separated into three components.\nThe first component calls for the deployment of core PeopleSoft financial modules in\nMay 2005. This involves significant changes to FDIC business processes, including:\n\n\xe2\x80\xa2   Creating a new accounting structure to collect and track the required financial and\n    cost management data.\n\xe2\x80\xa2   Converting vendor registration and maintenance to the federal Central Contractor\n    Registry (CCR) System.\xe2\x88\x97\n\xe2\x80\xa2   Creating a central electronic repository for procurements and contracts.\n\xe2\x80\xa2   Automating the procurement card system.\n\xe2\x80\xa2   Increasing asset management functionality, including integration with purchase\n    orders and payable vouchers.\n\xe2\x80\xa2   Automating the capture of receipts and disbursement funds for more effective cash\n    management.\n\xe2\x80\xa2   Establishing automated workflow processes to simplify and streamline many paper-\n    based processes.\n\nAdditionally, 25 systems will integrate into the NFE core modules primarily for the\nGeneral Ledger, Accounts Payable, and Supplemental Payment System modules. The 25\nsystems include 23 legacy systems and 2 new systems related to employee time and\nattendance and legal information and case management. The NFE project management\nteam had identified the Payroll Bridge System (the \xe2\x80\x9ctranslator\xe2\x80\x9d of payroll processing\nresults from National Finance Center into the general ledger) and the Electronic Travel\nVoucher System (travel reimbursements) as two legacy systems for which it was critical\nthat they both be operational at the same time that NFE is deployed.\n\nThe deployment of the second component, Budget Formulation/Receivership Service\nBilling/Enterprise Warehouse, is targeted for July 1, 2005. The third component,\nthe Activity Based \xe2\x80\x9cCost\xe2\x80\x9d Management module, is scheduled to be deployed by\nSeptember 1, 2005.\n\n\n\n\n\xe2\x88\x97 The CCR is the primary vendor database for the federal government. The CCR collects, validates, stores,\nand disseminates data in support of agency acquisition missions. Both current and potential government\nvendors are required to register in CCR in order to do be awarded contracts by the government. Vendors\nare required to complete a one-time registration to provide basic information relevant to procurement and\nfinancial transactions. Vendors must update or renew their registration annually to maintain an active\nstatus.\n\n                                                   I-6\n\x0cProject Test Strategy and Results\n\nEffective test, defect handling, and change management processes provide a means of\nmitigating significant system integrity issues that could impact a system\xe2\x80\x99s future\noperational state. Test process activities should ensure that all aspects of the new system\nwill function correctly, meet users\xe2\x80\x99 needs, and work as intended in the system\xe2\x80\x99s\noperational environment. Federal standards and FDIC policy require the performance of\ntest verification and validation activities.\n\nThe FDIC had developed a rigorous multi-stage test strategy and schedule for NFE to\nensure that the system will function as designed and meet users\xe2\x80\x99 needs (see Appendix C\nfor a detailed description of test processes). Key components of this test strategy critical\nto final decisions on NFE deployment include SIT and UAT. Additionally, the FDIC had\nestablished independent quality assurance testing for NFE that is performed by the\nFDIC\xe2\x80\x99s CQMS.\n\xe2\x80\xa2   SIT ensures that all business functions perform as designed on an end-to-end basis\n    across the NFE applications and platforms. SIT verifies that the application modules\n    interact correctly within PeopleSoft financial modules, including all interfaces that\n    send or receive transactional data to/from the NFE. Guidelines for this testing are\n    based on the DOF Corporate Applications SIT Approach, dated June 10, 2004, and\n    the NFE SIT Test Plan for Interfaces, dated June 18, 2004.\n\n\xe2\x80\xa2   UAT is the final round of NFE testing. The purpose of UAT is to secure the\n    agreement of all business process owners that (1) the PeopleSoft modules, as modified\n    and configured, and (2) the impacted FDIC legacy application interfaces meet the\n    business owners\xe2\x80\x99 current stated business requirements when used in conjunction with\n    processes and procedures developed by the business owners and the NFE business\n    planning team. To accomplish these objectives, a three-pass testing strategy was\n    used; pass one began December 1, 2004, and pass three testing ended March 31, 2005.\n    On February 4, 2005, the FDIC reported that 14 of 16 NFE Phase I core business\n    process areas had entered into the first pass of UAT with 77 percent of all planned\n    scripts successfully completed.\n\nCQMS performed quality assurance test activities over a 3-week period starting on\nNovember 1, 2004. The scope of this review, as stated in the CQMS NFE Test Plan,\ndated September 22, 2004, was to verify the effectiveness of the SIT performed against\nNFE core financial modules and interfaces. Five of the 26 applications were tested on-\nline, and the rest of the applications were inspected. CQMS performed the five on-line\ntests on systems considered critical to NFE production, including the primary receivership\nand subsidiary financial reporting system, Dividend Processing System, corporate human\nresources systems, Electronic Travel Voucher processing system, and the FDIC Legal\nDivision\xe2\x80\x99s principal information system. For inspections, CQMS placed reliance on\nrequirements functionality reviews that occurred for each application during SIT.\n\n\n\n\n                                            I-7\n\x0cManaging Test Activities\n\nThe NFE project management team manages test activities using test plans and results\ndocumentation located in several data repositories. For example, NFE-related test\ndocumentation is located in the FDIC\xe2\x80\x99s Digital Library (FDL) and in an NFE project-\nspecific documentation tool, StarTeam. FDL is a corporate-wide documentation\nmanagement vehicle that publishes information throughout the FDIC. StarTeam,\ndesigned for exclusive use by the NFE team, contains documents that are intended to\nrepresent official software baseline configuration items. Upon completion of tests, signed\napprovals are required from the tester, FDIC NFE Team Lead, and Business Area\nRepresentative acknowledging that conditions tested work as designed.\n\nAdditionally, the NFE project also uses a data repository, referred to as TestDirector, to\nseparately track and record identified defects identified for a specific system and level of\ntesting. When a defect is determined to be a change in the baseline, a change request\nmust be completed and reviewed by the Change Control Board (CCB) for core NFE\nmodules for interface/legacy systems. Changes are made in accordance with a defined\nand documented change management process for NFE core and legacy system interfaces.\n\nIII.     Detailed Findings\n\nIn the course of performing the NFE audit, KPMG provided DOF and the NFE project team\nwith detailed findings regarding NFE test activities. The findings are summarized in this\nsection of the report.\n\nFinding 1: Production Simulation Tests Needed\n\nCondition:\n\nKPMG identified the following limitations during NFE UAT:\n\n\xe2\x80\xa2 users were not adequately trained,\n\xe2\x80\xa2 test scripts applied did not always test a representative number of chart of accounts\n  that would be processed in a normal operational environment,\n\xe2\x80\xa2 business processes were not tested sequentially from start to finish without\n  interruption as in a normal workflow process, and\n\xe2\x80\xa2 UAT does not include production simulation test activities.\n\nCause:\n\nTime and schedule constraints were a contributing factor to the level of training provided.\nAccording to NFE process leads for core NFE modules, the training documentation\nprovided detailed instructions related only to navigating through \xe2\x80\x9cvanilla\xe2\x80\x9d PeopleSoft\nmenus and screens without explaining: (1) the purpose of PeopleSoft menus and screens,\n(2) their applicability to new FDIC business processes in adapting to NFE, and\n(3) troubleshooting problems. Additionally, time and resource constraints driven by the\nimplementation schedule appear to have impacted the scope of tests employed, including\nnot allocating sufficient time for production-simulation testing prior to system\ndeployment. According to DOF and DIT officials involved in NFE project management\n\n                                             I-8\n\x0coversight, users were involved in planning and creating test scripts for systematic formal\nexecution in UAT, which lessens the need for additional levels of testing.\n\nCriteria:\n\nGuidance for Software Verification and Validation processes in NIST Special Publication\n500-234, Reference Information for the Software Verification and Validation Process,\nand the CMMI state that the major objectives are to (1) comprehensively analyze and test\nsoftware during development to determine that the software correctly performs its\nintended functions, (2) ensure that the software performs no unintended functions, and\n(3) provide information about software quality and reliability. Where possible, validation\nactivities should be accomplished within the production environment. Additionally,\nJFMIP financial system implementation guidance states that qualifications testing ensures\na certain level of compliance with government-wide requirements, but should be viewed\nas \xe2\x80\x9centry criteria.\xe2\x80\x9d Agencies should conduct supplemental testing to ensure that a\nfinancial management system meets their specific requirements and to ensure adequate\nsystem performance.\n\nEffect:\n\nUser training issues and gaps in testing coverage increased the possibility that NFE may\nnot function as intended in its operational environment and that users may not be able to\ncarry out the new business processes in NFE. Without production simulation testing,\nunanticipated results may not have been minimized to an appropriate level and may have\ncaused processing delays and incomplete or inaccurate data that affect financial\nmanagement reporting.\n\nLevel of Risk: High\n\nRecommendations Provided to the FDIC for Consideration (January 26, 2005):\n\xe2\x80\xa2 Improve user training documentation for UAT and deployment activities to explain,\n   where appropriate, the fields that should be completed; the fields\xe2\x80\x99 applicability to new\n   FDIC business processes in adapting to NFE; and how to troubleshoot problems.\n\xe2\x80\xa2 Perform unscripted user testing in the production environment to simulate \xe2\x80\x9cgo live.\xe2\x80\x9d\n   As a common practice, the FDIC should consider the following:\n   o Provide sufficient time prior to deployment to take corrective actions where\n       necessary.\n   o Independently execute a few days\xe2\x80\x99 transactions from the highest volume business\n       days in the past year, and follow the new business processes and procedures.\n\nFinding 2: Effectiveness of Accounting Verifications for Month- and Year-End\nClosings\n\nCondition:\nDocumented evidence did not exist for accounting-based verifications performed for\nmonth- and year-end closings during SIT. Consequently, KPMG could not determine\nfrom script plans or test results the validity of month- and year-end financial information\nreported from the tests. Based on our review of the UAT schedule and SIT results, Asset\n\n                                            I-9\n\x0cManagement was the only module for which reports were included as part of its month-\nend closing process and there was evidence of reconciliation processes. KPMG also\nnoted that scripts on identifying or researching un-posted transactions and posting errors\nwere omitted from SIT.\n\nIn reviewing plans for the next level of month- and year-end tests in UAT, KPMG noted\nthat the test plans for UAT were similar to those for SIT, with the exception that users\nwere responsible for performing the tests. However, the test plans did not include\nspecific instructions to perform accounting verifications and reconciliations. UAT is\nintended to be user-oriented; therefore, tests at this juncture should more closely resemble\nmonth- and year-end based procedures that users will actually perform. Additionally,\nCQMS stated in its Independent Test Plan for NFE that CQMS would not perform an\nindependent review of the month-end and year-end test processes. According to these\nofficials, this level of testing was outside the scope of system \xe2\x80\x9cintegration-based\xe2\x80\x9d\nrequirements testing activities to perform against NFE core financial modules and\ninterfaces.\n\nCause:\n\nThe NFE project team had not developed formal accounting-based reconciliation test\nplans for month- and year-end closings. Business process documents showed only how to\nnavigate through PeopleSoft system menus and screens. Draft user guide job aids and\nchecklists also did not address accounting verification and reconciliation procedures.\n\nCriteria:\n\nGAO and OMB guidelines for compliance with the FFMIA state that standards and\nprocedures should be established in maintaining financial system integrity. For month-\nand year-end closings, such standards and procedures would include user procedures for\nsystem performance data integrity validations, such as reconciliations between reports\nproduced and data sets within the system and the results of validity combination and\nbalance edits. GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government state\nthat internal controls and all transactions and other significant events need to be clearly\ndocumented and maintained and should be readily available for examination in the form\nof management directives, administrative policies, or operating manuals.\n\nAccording to CMMI guidelines, defined and documented user-oriented procedures, when\npart of a new integrated information system, are an essential component of the test\nprocess to demonstrate that the system fulfills its intended use when placed in its\noperational environment and meets user needs.\n\nEffect:\n\nWithout month-end and year-end test processes that fully incorporate accounting-based\nverifications and reconciliations, the FDIC may have lacked adequate assurance that\nfinancial information would be recorded accurately and completely in the general ledger.\nThis posed significant operational risks that may have negatively impacted NFE system\nintegrity and financial reporting capabilities in production.\n\n                                            I - 10\n\x0cLevel of Risk: High\n\n Recommendations Provided to the FDIC for Consideration (January 26, 2005):\n\xe2\x80\xa2  Fully define in business process documentation and UAT, the detailed accounting-\n   based verification and reconciliation procedures that are required.\n\xe2\x80\xa2 Simulate month-end closing by following accounting-based control and reconciliation\n   procedures to provide assurance that users would be able to process a month-end\n   closing completely and accurately in a timely manner.\n\xe2\x80\xa2 Perform separate year-end testing using a copy of the production database before\n   executing the actual 2005 year-end process in the production environment. This\n   database should include all the required patches and fixes for the year-end process.\n   Year-end testing should include closing for all modules.\n\xe2\x80\xa2 Document detailed accounting-based test results during UAT scheduled for month-\n   and year-end processing.\n\n\nFinding 3: Defect Consolidation, Traceability, and Documentation\n\nCondition:\n\nA centralized and controlled defect tracking system had not been established to ensure\ntraceability to adequate documentation for the purpose of managing problem\nidentification and resolution. In addition, test processes did not provide for two-way\ntraceability of defects from their test origin to change requests, when applicable, and did\nnot require that necessary documentation required for defect resolution be retained.\n\nCause:\n\nThe defect tracking tool, TestDirector, is a relatively new application development tool\ndeployed in the last 6 months. Project time and resource constraints may have precluded\nthe NFE project team from fully implementing TestDirector functionality. Additionally,\ndefects relating to each interface or legacy system were managed by different business\nprocess owners, and related documentation is maintained in separate locations. Also,\nNFE process leads lacked adequate guidance in referencing test information to defect logs\nand reports. Finally, change management procedures had not been adequately followed.\n\nCriteria:\n\nAccording to CMMI guidance, defect analyses should include assessing the impact of\ndefects, frequency of occurrence, similarity between defects, and the time and resources\nneeded to resolve the defects. Proper attention should be given to storage and retrieval\nprocedures so that data is available and accessible for analysis, possible reanalysis, or\ndocumentation purposes. Additionally, change requests should address failures and\ndefects in the work products in assessing the impact that the change in addressing the\ndefect will have on the work product, related work products, schedule, and cost.\n\nNFE change management guidance also states that changes to requirements made because\nof defects should trace directly to the applicable defect reports.\n\n\n\n                                                   I - 11\n\x0cEffect:\n\nRecurring defects were more difficult to identify, which may have impacted the ability to\ndetermine in a timely manner their priority and root cause and method for resolution.\nSoftware maintenance risks were also increased because of the inability to provide\nspecific test reference information in the defect logs. Moreover, tracing a change request\nto a defect was difficult.\n\nAdditionally, a decentralized management and documentation approach could result in\ninefficient retrieval or misplacement of important documentation. Delays in testing and\nduplicated effort could have occurred if the scripts had to be retested to obtain the\nnecessary information for sign-offs.\n\nLevel of Risk: Medium\n\nRecommendations Provided to FDIC for Consideration (February 17, 2005):\n\xe2\x80\xa2 Consolidate all the defects under one centralized repository to facilitate the tracking\n   and monitoring of recurring defects going forward.\n\xe2\x80\xa2 Emphasize two-way traceability of defects from their test origin to change request\n   documentation when applicable.\n\xe2\x80\xa2 Create a shared location to store UAT defect screen captures and test results instead of\n   depending on users\xe2\x80\x99 personal folders to improve documentation for defect problem\n   resolution.\n\n\nFinding 4: Effectiveness of Test Activities Performed\n\nCondition:\n\nNFE UAT documentation was not effectively organized to independently verify the\naccuracy and completeness of tests performed for NFE business processes and did not\nconsistently describe the relationship of a given test script to an NFE business process.\n\nTest activities and scenarios were missing from sampling scripts in SIT and UAT for\naccounts payable, purchasing, asset management, and the general ledger. The missing\nitems noted also appeared applicable to compliance requirements of the FFMIA. Most\nnotably, UAT did not include testing the expenditure budget control function for the\nReceivership Operations module, an essential requirement to achieve compliance with\nFFMIA.\n\nFinally, according to FDIC officials, there were no plans at this time for testing about 50-\n70 customized FMS reports currently generated by the Walker general ledger. Access to\nthis same information in NFE was distributed across different modules and a different\nchart of accounts. A strategy for obtaining these reports by priority level through NFE\nhad not been determined.\n\nCause:\n\nNFE business processes for test script development were not standardized and relied on\nthe ability of the test facilitators and testers to develop appropriate plans to capture\n                                            I - 12\n\x0cbusiness process activities and scenarios to test. NFE project officials stated that they did\nnot prescribe a formal structure so testers would have more leverage and flexibility in\ndeveloping test plans that would best fit their development and test needs. Users for each\nrespective area were involved in deciding which tests to perform for both SIT and UAT.\n\nWith respect to the budget control function testing, the FDIC budget process lead\nindicated that this testing would be performed during UAT re-tests of core financial\nmodules.\n\nCriteria:\n\nGAO and OMB guidance states that government financial management systems shall\nprovide assurance that transactions can be processed in accordance with FFMIA\nrequirements. These requirements are applicable to key FMS functions, including\naccounts payable, purchasing, disbursement, funds control, and general ledger processing.\nJFMIP guidance also states that agencies need to consider performing supplemental\ntesting beyond qualification tests performed to ensure financial management systems\nmeet government and organizational requirements.\n\nCMMI guidance on test validation practices states that UAT cases and procedures,\nincluding operational scenarios and procedures, are applicable validation procedures that\nwarrant consideration to determine whether a system will function as intended in its\noperational environment. Also, NIST test guidance states that test verification and\nvalidation processes should be comprehensive. GAO\xe2\x80\x99s Standards for Internal Control in\nthe Federal Government state that control activities such as tests of transactions for\nsystem deployment should be well documented, maintained, and readily available for\nexamination.\n\nEffect:\n\nIndependent verification of the effectiveness of business process activities tested and\nsoftware management oversight over those activities become cumbersome without a\nformal and consistently applied process that provides information on a given business\nprocess tested, activities to perform for that process, and related scenarios to test for each\nactivity.\n\nScenarios that were missing and untested may have impacted NFE system integrity in the\nproduction of accurate and complete financial management reports. Consequently,\nfinancial management and reporting risks may not have been mitigated to an acceptable\nlevel.\n\nIn summary, the issues cited could impact NFE technical performance expectations,\noperational capabilities, and users\xe2\x80\x99 ability to apply new business processes.\n\nLevel of Risk: Medium\n\nRecommendations Provided to FDIC for Consideration (February 16, 2005):\n\xe2\x80\xa2 Consider some level of production simulation testing for addressing missing test\n   scenarios and any unidentified problems not sampled.\n\n                                             I - 13\n\x0c\xe2\x80\xa2   Develop more structured test development processes for better software test\n    management and oversight of business process activities and scenarios to test.\n\xe2\x80\xa2   Provide for more effective test documentation retention and control practices.\n\xe2\x80\xa2   Elevate the priority of budget and commitment control testing to ensure that budget\n    control features are accurately and completely tested within the appropriate time\n    frame.\n\n\n\n\n                                           I - 14\n\x0cAPPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY\n\nObjective\nThe objective of this audit was to determine the adequacy of test plans and processes and\ndefect and change management processes in resolving problems identified during testing.\nKPMG conducted its work audit work in Washington, D.C., and Dallas, Texas, from\nNovember 1, 2004 through March 8, 2005 in accordance with generally accepted\ngovernment auditing standards.\n\nScope\nThe scope of coverage focused on test activities and processes critical to NFE\ndeployment, which included evaluating the following:\n\xe2\x80\xa2 Effectiveness of FDIC test activities policies and procedures applicable to NFE\n   deployment.\n\xe2\x80\xa2 Accuracy and completeness of selected NFE core module test activities that had been\n   performed.\n\xe2\x80\xa2 Test activities critical to final decisions on NFE\xe2\x80\x99s deployment schedule that included\n   SIT, UAT, and Independent Testing Performed by the CQMS.\n\xe2\x80\xa2 Test activities for three of eight selected NFE legacy interfaces considered critical to\n   deployment that included the Controls Total Module (CTM) as the primary\n   receivership and subsidiary financial reporting system, Electronic Travel Voucher\n   (ETV), and Dividend Process System (DPS).\n\xe2\x80\xa2 Effectiveness of the test and defect management resolution processes. We also tested\n   the effectiveness of the processes.\n\nMethodology\nKPMG performed the following in meeting audit objectives:\n\xe2\x80\xa2 Conducted interviews with DIT and DOF officials who were responsible for\n  managing and implementing the NFE project and with representatives from\n  Accenture LLP, the consulting firm hired by the FDIC to provide NFE\n  implementation services, including the performance of system development test\n  activities. To obtain an understanding of NFE test activities that had been performed,\n  including procedures and practices, KPMG also spoke with end users from several\n  divisions in the FDIC\xe2\x80\x99s Headquarters and Dallas office to determine the adequacy of\n  their involvement in test activities such as UAT.\n\xe2\x80\xa2 Identified applicable FDIC policies and procedures for performing NFE test activities.\n\xe2\x80\xa2 Performed gap analysis of FDIC policies and procedures for NFE test activities\n  against generally accepted system development test activities performed (see\n  Appendix B for applicable standards and guidelines).\n\xe2\x80\xa2 Sampled requirements for the NFE core systems and obtained related test plan and\n  results documentation that was used in assessing the nature and extent of NFE test\n  activities performed.\n\xe2\x80\xa2 Obtained and reviewed the test plan, results, and reconciliation process for CTM,\n  DPS, and ETV systems.\n\xe2\x80\xa2 Observed UAT activities to assess the effectiveness of test activities performed for\n  accounts payables, disbursements, purchase orders, and the general ledger.\n\n\n                                           I - 15\n\x0c                                                                           APPENDIX A\n\n\xe2\x80\xa2   Identified and reviewed monitoring and oversight activities over the test and defect\n    management resolution processes, including change management practices for\n    addressing requirement changes.\n\nKPMG also determined the risk levels for the NFE project where specific risks are likely\nto occur.\n\n\nPrior Audit Coverage\n\nPrior to this audit, the FDIC OIG issued the following reports related to the NFE.\n\n\xe2\x80\xa2   Audit Report No. 05-007 entitled, Management Controls Over the Re-baselined New\n    Financial Environment Project, dated February 18, 2005, which addressed whether\n    the FDIC had established adequate management control over the re-baselined NFE\n    project.\n\n\xe2\x80\xa2   Audit Report No. 03-045 entitled, New Financial Environment Scope Management\n    Controls, dated September 29, 2003, which addressed whether the FDIC had\n    implemented adequate controls for ensuring that the scope of the NFE project was\n    effectively managed.\n\n\xe2\x80\xa2   Audit Report No. 03-016 entitled, The New Financial Environment Project Control\n    Framework, dated March 5, 2003, which addressed whether the FDIC had established\n    a control framework for the NFE project.\n\n\xe2\x80\xa2   Audit Report No. 03-002 entitled, Preaward Review of the New Financial\n    Environment Project, dated October 7, 2002, which provided observations on selected\n    procedures and documents related to the NFE Request for Proposal.\n\n\xe2\x80\xa2   Evaluation Report No. 01-004 entitled, The New Financial Environment Project,\n    dated December 7, 2001, which assessed the reasonableness of the NFE cost-benefit\n    analysis and the financial systems architecture.\n\n\n\n\n                                            I - 16\n\x0cAPPENDIX B: APPLICABLE STANDARDS AND GUIDANCE\n\nThe references listed herein represent applicable standards and guidance at the time of the\nwriting of this document that were considered in the performance of KPMG\xe2\x80\x99s evaluation.\nSome of the references are statutes and regulatory sources, whose provisions may or may\nnot be binding on the FDIC; see individual references for further information. Statutory\nand regulatory sources that are not binding on the FDIC can provide statements of\nprudent business practices. The Internet sites and various references appearing below are\nsubject to change.\n\nFederal Statutes\n\nFederal Financial Management Improvement Act (FFMIA), Pub. L. 104-208, 1996.\nhttp://www.whitehouse.gov/omb/financial/ffs_ffmia.html\n\nThe statute requires agencies to implement and maintain financial management systems\nthat substantially comply with federal financial management system requirements. These\nrequirements are detailed in the Financial Management System Requirements series\nissued by the JFMIP and in OMB Circular A-127, Financial Management Systems, and\nOMB\xe2\x80\x99s Implementation Guidance for the Federal Financial Management Improvement\nAct (FFMIA) of 1996. The act does not apply to the FDIC, but its provisions and\nstandards contain prudent practices that the FDIC may choose to follow.\n\nSystems Development Life Cycle (SDLC) Standards and Guidance\n\nNIST Special Publication 500-234, Reference Information for the Software\nVerification and Validation Process, April 1996.\nhttp://hissa.nist.gov\n\nThe publication provides guidance for performing verification and validation activities to\ncomprehensively analyze and test software during development to determine that the\nsoftware performs its intended functions correctly, ensure that it performs no unintended\nfunctions, and provide information about its quality and reliability.\n\nCapability Maturity Model Integration (CMMI) for Systems Engineering, Software\nEngineering, Integrated Product and Process Development, and Supplier Sourcing,\nV1.1, March 2002.\nhttp://www.se.cmu.edu/cmmi\n\nThe publication provides process management guidance for SDLC projects to include\nbest practices in performing activities related to software risk management, verification\nand validation, change management, and defect management resolution.\n\n\n\n\n                                            I - 17\n\x0c                                                                          APPENDIX B\n\nFinancial Management System (FMS) Standards and Guidance\n\nOMB Circular No. A-127, Financial Management Systems, July 1993.\nhttp://www.whitehouse.gov/omb/circulars/a127/a127.html\n\nThe publication prescribes policies and standards for executive departments and agencies\nto follow in developing, operating, evaluating, and reporting on financial management\nsystems.\n\nJoint Financial Management Improvement Program (JFMIP), Forum Highlights:\nSystem Implementation Success Factors Using COTS Financial Systems, JFMIP\nSteering Committee and Chief Financial Officers\xe2\x80\x99 Council, June 2003.\nhttp://www.jfmip.gov/jfmip/otherreports.htm\n\nThe publication addresses critical success factors for successfully implementing COTS\nsoftware in discussions with senior federal financial managers, financial system program\nmanagers, and private sector leaders.\n\nOMB Memorandum for the Heads of Executive Departments and Establishments,\nChief Financial Officers, and Inspectors General \xe2\x80\x93 Revised Implementation\nGuidance for the Federal Financial Management Improvement Act, January 2001.\nhttp://www.whitehouse.gov/omb/financial/ffmia_implementation_guidance.pdf\n\nKey provisions applicable to NFE testing of key FMS functions include the following:\n\xe2\x80\xa2 FMS shall consistently process common transactions throughout the financial system\n   and shall consistently use and apply internal controls throughout the financial system.\n\xe2\x80\xa2 Assets shall be accounted for reliably so that they can be properly protected from loss,\n   misappropriation, or destruction\n\xe2\x80\xa2 Budget execution is integrated in the core financial system with accounts payable,\n   accounts receivable, and general ledger.\n\xe2\x80\xa2 Financial statements and other required financial and budget reports shall be prepared\n   using information generated by the FMS.\n\nU.S. GAO, Core Financial System Requirements, Checklist for Reviewing Systems\nUnder the Federal Financial Management Improvement Act, GAO/AIMD-00-21.2.2,\nFebruary 2000.\nhttp://www.gao.gov/special.pubs/ai2122.pdf\n\nThe publication addresses FFMIA system integrity control compliance requirements.\nAlthough the FDIC is not mandated to comply with FFMIA requirements, the FDIC\nintends to voluntarily comply with such standards. Provisions applicable to NFE testing\nwould include, for example, the following:\n\xe2\x80\xa2 System performance data integrity validations such as reconciliations between\n    produced reports and data sets within the system and the results of validity\n    combination and balancing edits.\n\n\n                                           I - 18\n\x0c                                                                           APPENDIX B\n\n\xe2\x80\xa2   Accurate and complete postings to the current and prior months concurrently until\n    month-end closing. Accurate and complete balances must be maintained and\n    accessible through on-line queries for both the current and prior fiscal years until\n    year-end closing.\n\xe2\x80\xa2   Adjustment of assets or expenses recorded with the liability if the authorized payment\n    (based on the invoice) is different from the amount accrued (based upon receipt and\n    acceptance) using contract information.\n\xe2\x80\xa2   Payment Management Function (Accounts Payable/Purchasing)\n    \xe2\x80\xa2 Provides the capability to capture, store, and process appropriate invoice\n        information in accordance with Department of the Treasury standards and, as\n        necessary, to satisfy requirements of the Prompt Payment Act.\n    \xe2\x80\xa2 Provides the capability of splitting an invoice into multiple payments on the\n        appropriate due dates when items on the invoice have different due dates.\n    \xe2\x80\xa2 Automatically updates funds control and budget execution balances.\n    \xe2\x80\xa2 Appropriately posts assets or expenses with the liability.\n\xe2\x80\xa2   Funds Control Process (Funds Availability Editing)\n    \xe2\x80\xa2 Provides for on-line notification of funds availability prior to the distribution of\n        lower-level funding and the processing of commitment, obligation, or expenditure\n        transactions.\n    \xe2\x80\xa2 Checks commitment transactions against available funds.\n    \xe2\x80\xa2 Includes adequate controls to prevent the recording of commitments that exceed\n        available balances.\n    \xe2\x80\xa2 Updates all appropriate accounts to ensure that the system always maintains and\n        reports the current status of funds for all open accounting periods.\n\nU.S. GAO, Standards for Internal Control in the Federal Government,\nNovember 1999.\nhttp://www.gao.gov/special.pubs/ai00021p.pdf\n\nThe publication defines the minimum level of quality acceptable for internal control in\ngovernment and provides the basis against which internal control is to be evaluated,\nincluding documenting all transactions and other significant events. Documentation\nshould be readily available for examination including documentation on a wide range of\ndiverse activities, such as approvals, authorizations, verifications, reconciliations,\nperformance reviews, maintenance of security, and the creation and maintenance of\nrelated records that provide evidence of execution of these activities. The FDIC is not\nmandated to but chooses to follow these practices.\n\nFDIC/NFE Specific SDLC Standards and Guidance\n\nThe FDIC has issued several policies and procedures in managing NFE test activities,\nincluding changes to requirements that can be viewed within the FDIC\xe2\x80\x99s Digital Intranet\nLibrary:\n\xe2\x80\xa2 DOF Corporate Applications Testing Strategy, version 2 (3/15/2004)\n\xe2\x80\xa2 DOF Corporate Applications SQT [system qualification test] Approach, version 4\n    (6/10/2004)\n\n                                           I - 19\n\x0c                                                                     APPENDIX B\n\n\xe2\x80\xa2   DOF Corporate Applications SIT Approach, version 3 (6/10/2004)\n\xe2\x80\xa2   NFE User Acceptance Test Plan, version 2.0 (08/30/2004)\n\xe2\x80\xa2   NFE SIT Test Plan, version 1.5 (06/18/2004)\n\xe2\x80\xa2   Independent Test Plan for NFE, version 2.0 (09/22/2004)\n\xe2\x80\xa2   NFEi Change Control Process\n\n\n\n\n                                        I - 20\n\x0cAPPENDIX C: NFE TEST STRATEGY AND PROCESSES\n\nThe FDIC is replacing the existing Walker Interactive system with PeopleSoft financial\nsoftware. The implementation of the NFE will necessitate the retirement and\nmodification of interconnecting DOF corporate applications. To promote consistency in\ntesting for a quality product, the FDIC developed, defined, and documented testing\nprocesses for implementing NFE. The strategies, tools, and processes defined for this\neffort are described in this appendix.\n\nTesting Overview\n\nTesting is an essential part of the SDLC and a critical means for reducing software\ndelivery risks. Testing is a structured way of validating that business and performance\nrequirements, and use case specifications are properly implemented in a solution that\nmeets a customer\xe2\x80\x99s functional, technical, operational, and maintenance expectations.\n\nDOF testing for NFE has been divided into seven distinct stages. Each stage tests a\nbroader level of functional and technical complexity than the previous stage.\nAccordingly, test conditions in each successive stage of testing are derived from\nsuccessively higher-level sources. For example, \xe2\x80\x9clow level\xe2\x80\x9d unit tests are derived from\nthe conditions specified in the detailed design, while \xe2\x80\x9chigh level\xe2\x80\x9d unit tests are derived\nfrom UAT conditions from the system requirements or use cases.\n\nSuch multi-stage testing is referred to as \xe2\x80\x9cV-Model\xe2\x80\x9d testing, which is illustrated in\nFigure 1. The left side of the \xe2\x80\x9cV\xe2\x80\x9d indicates the source documents from which we derive\ntest cases. The right side of the \xe2\x80\x9cV\xe2\x80\x9d shows the stages of testing.\n\nFigure 1. V-Model\n\n\n\n\nSource: DOF Corporate Applications Testing Strategy, Version 2, March 15, 2004.\n\n\n\n\n                                                I - 21\n\x0c                                                                            APPENDIX C\n\nThe V-Model requires that each major deliverable is verified and validated in an attempt\nto identify problems as early as possible and ensure that specifications are complete and\ncorrect and adhere to relevant standards. Testing ensures that the specifications are\ncorrectly implemented and that the solution meets the business and performance\nrequirements or use cases.\n\nTest Stages\n\nA stage refers to major development process steps in a project\xe2\x80\x99s life cycle: planning\nstage, requirements definition stage, design stage, development stage, test stage, etc. Also\nthere are different stages of tests: unit test stage, system qualification test (SQT) stage,\netc.\n\nThe V-Model diagram shows how the test stages align with the development stages. The\ntest planning tasks are performed on the left side of the V-Model within the plan,\nrequirements definition, design, and development stages. The test execution tasks appear\non the right side and belong to the development (unit test); test (SQT, performance, and\nuser acceptance tests); and implementation (operational readiness test) stages. The early\ntest execution tasks focus on confirming the high-level and detailed designs, and later\ntasks focus on achieving overall functional and technical requirements. The test stages\nfor a project\xe2\x80\x99s life cycle are described below.\n\n\nUnit Test\nThe purpose of unit testing is to verify that the programming work units have correctly\nimplemented the detailed design specifications. Programming work units are the most\ngranular testable software components. Types of work units include windows, functions\nor algorithms, and simple batch programs. Every line of code should be exercised, every\nloop iterated, and all conditions tested at this stage. The scope of the test conditions\nencompasses logical branches, limits, etc. All work units developed by the development\nteams will be unit tested and where feasible, multiple, related work units will be tested\ntogether.\n\nAlthough a development team does not gather formal performance metrics at this stage, it\nis the team\xe2\x80\x99s responsibility to identify components that represent significant performance\nrisk.\n\nUnit testing is the responsibility of the DIT application development teams and is\nrequired for all new or modified code. Unit test planning and execution is the\nresponsibility of the programmer who coded the module to be tested and is performed in\nthe early part of the development stage when the detailed designs are finalized. The test\nexecution is performed by the developer/tester (in the development environment) in the\nlater part of the development stage after the application units are coded.\n\n\n\n\n                                            I - 22\n\x0c                                                                              APPENDIX C\n\nSystem Qualification Test\n\nThe purpose of SQT is to verify that each of the applications, developed or modified,\nfunctions as designed across all product business functions. SQT validates that the\nrequirements of each application have been met.\n\nUnlike unit testing in which test conditions are derived based on design specifications,\nSQT conditions are derived from business requirements and use case events that are\ninternal to a single application. The test team will initially use limited but realistic data,\ntesting basic functionality and gradually build complexity into the processes, testing more\nrealistic business scenarios with realistic data.\n\nSQT will be the responsibility of the respective DIT application test teams and is required\nfor all new or modified code. The DIT test team, including DOF resources, will execute\nthe test for each application in the separate environment so that SQT activities and code\ndo not interfere with other activities and code in the development environment.\nInterfaces to external systems may not be available at this stage of testing. However, if\nexternal systems (or stub equivalents) are available, the test teams will test those during\nSQT. Test teams, including DOF resources, perform SQT planning in the design stage\nwhen the designs are created. The DIT test team executes the SQT in the test stage after\nthe developers complete the unit test.\n\n\nSystem Integration Test\nThe purpose of SIT is to ensure that all business functions can be performed on an end-to-\nend basis across the business applications and platforms. SIT verifies that the\napplications interact correctly with each other and with their external interfaces.\n\nApplications are eligible for migration to the SIT environment upon meeting all the\ndefined exit criteria of the SQT and entry criteria of the SIT. The test conditions are an\nextension of the SQT conditions in that they will include full end-to-end business\nprocessing and verification.\n\nFor purposes of the NFE program, SIT is the responsibility of the respective application\ntest teams coordinating with a central NFE test team and is required for all new or\nmodified code that interfaces with an external system. Each application team (both DIT\nand DOF resources) will be responsible for testing its application and interfaces. SIT\nplanning is performed in the design stage when the high-level designs are created. The\ntest execution is performed in the test stage after successful completion of SQT. SIT will\nbe executed in a logically separate environment in the quality control and testing\nenvironment. It is imperative to separate the code and activities of the SQT, SIT and\nother test stages so that code from one environment does not interfere with code in\nanother environment or test stage.\n\n\n\n\n                                             I - 23\n\x0c                                                                             APPENDIX C\n\nCQMS Test\nThe purpose of the CQMS test is the validation of the required business functions by an\nimpartial, independent testing group prior to the UAT. This test group analyzes and\nassesses the application requirements and develops functional, standards, and\nperformance tests based on those requirements. The testing group executes and reports\non the tests and uses test results to determine the readiness of the application to proceed\nto the next phase.\n\nCQMS testing is the responsibility of the CQMS group and is executed in a separate\nenvironment. Throughout the CQMS test, there is an open communication line to the\napplication project to receive requirement updates, provide frequent feedback in problem\nreports, and collaborate on problem investigations. Application development and test\nteams are not responsible for the test execution but are required to provide functional and\ntechnical support throughout the testing.\n\n\nUser Acceptance Test\nThe purpose of UAT is to ensure that the users and stakeholders are satisfied with the\nsolution. Only after UAT is completed can the product be released. The UAT allows the\nend users to complete one final review of the system prior to its deployment.\n\nApplications are eligible for migration to the UAT environment upon meeting all the\ndefined exit criteria of the SIT and CQMS tests. The test conditions can be a subset of\nthe SIT conditions tailored for each representative user group.\n\nUAT is the responsibility of the respective DIT test teams with test planning and\nexecution resources provided by the DOF end user community. UAT planning is\nperformed in the requirements definition stage during which user requirements are\ndefined. The test execution is performed in the test stage after successful completion of\nSIT and CQMS tests. Test execution of UAT will take place in the QUAL environment.\n\n\nPerformance Test\nThe purpose of the performance test is to ensure that the system is capable of operating at\nthe load levels specified by the performance requirements and any agreed-upon service-\nlevel agreement. This test will be performed in the presence of any operations that could\naffect performance capabilities (as would occur in the production environment). These\noperations include batch interfaces, overnight batch runs, on-line interfaces, user\ninteractions, etc. The DIT test team will monitor system performance across all areas of\nthe application functionality (on-line response times, batch job schedules), servers,\ndatabases, networks, etc.\n\nApplications are eligible for migration to the performance test environment after\nsuccessful completion of the SQT or SIT. This test may not be required for existing\nlegacy systems that are being modified. The application project manager and DIT\n\n                                            I - 24\n\x0c                                                                            APPENDIX C\n\nrepresentative will make a determination based on the scope and extent of the\nmodifications. If the changes are significant enough to impact service levels, a\nperformance test will be required. Specific performance test environment requirements\nand assumptions will be documented in the Performance Test Approach document.\n\nPerformance testing is the responsibility of the DIT application teams with support from\nthe infrastructure group. Performance test planning is performed in the requirements\ndefinition stage during which the performance requirements are defined. The test\nexecution is performed in the test stage in a separate environment that is a replica of the\nproduction environment.\n\n\nOperational Readiness Test (ORT)\nThe purpose of ORT is to test the production environment\xe2\x80\x99s readiness to handle the new\nsystem or changes. ORT verifies that the correct functionality, architecture, and\nprocedures are defined and implemented to allow production support teams to run,\nmaintain, and support the system in production. ORT may also involve verifying that the\nsystem is correctly installed and configured in the production environment.\n\nApplications are eligible for migration to the ORT environment after successful\ncompletion of the UAT and performance tests. ORT may not be required for existing\nlegacy systems that are being modified. The application project manager and DIT\nrepresentative will make a determination based on the scope and extent of the\nmodifications. If the changes are significant enough to affect operational procedures,\nORT will be required.\n\nORT is the responsibility of the DIT application teams with support from the operations\nand maintenance groups. ORT test planning is performed and executed in the\nimplementation stage.\n\nTesting Activities\nThe application teams will execute the same steps for all stages of testing. The following\nactivities are common to all stages of testing:\n\n\xe2\x80\xa2   \xe2\x80\x9cDevelop test approach\xe2\x80\x9d provides the objectives, schedule, environment\n    requirements, and entry and exit criteria for the test stage.\n\xe2\x80\xa2   \xe2\x80\x9cPlan test\xe2\x80\x9d identifies test conditions and test cycles for the test stage.\n\xe2\x80\xa2   \xe2\x80\x9cPrepare test\xe2\x80\x9d defines input data and expected results, scripts the test cycles, defines\n    stubs and job streams, and prepares the cycle control calendar.\n\xe2\x80\xa2   \xe2\x80\x9cEstablish test environment\xe2\x80\x9d ensures that the environment is established and tested\n    before test execution.\n\xe2\x80\xa2   \xe2\x80\x9cExecute test\xe2\x80\x9d performs the scripts contained in the test model, compares the actual\n    results to the expected results, and identifies and resolves discrepancies.\n\n                                            I - 25\n\x0cAPPENDIX D: RISK ASSESSMENT APPROACH\n\nRisk Ratings\nPer CMMI and industry standard practices, software projects should establish a risk\nmanagement strategy that includes the categorization of identified risks in order to\ndevelop a mitigation strategy that reduces risks to levels acceptable to management.\nKPMG assessed the potential impact of risks identified in this review based on\nprofessional judgment and applicable risk management criteria defined for the NFE\nproject by the FDIC. The NFE project assesses risks based on probability of occurrence\nand impact as follows:\n\nProbability\nThe likelihood of risk occurrence is quantitatively or qualitatively rated on the following\nscale:\n       Probability                 Uncertainty Statement                  Evaluation of\n                                                                       Impact (see Impact)\n          > 80%                    Extreme, Almost certain                       5\n        61%-80%                          High, Likely                            4\n        41%-60%                            Medium                                3\n        21%-40%                               Low                                2\n         1%-20%                  Very Low, Highly unlikely                       1\n\nImpact\nImpact is an estimate of the overall scale of the impact following an occurrence of each\nrisk. Impact measures the severity of adverse affects, or the magnitude of a loss, if the\nrisk comes to pass and is rated on the following scale:\n        5 - Critical impact; threatens overall success of NFE on a long-term basis.\n        4 - High impact; significant disruption to successful delivery of NFE objectives,\nproducts, and benefits.\n        3 - Medium impact; significant disruption to NFE schedule, cost, and products\nover the medium term.\n        2 - Low impact; progress disrupted with moderate to low extensions to schedule\nand cost, across short term.\n        1 - Very low impact; slight exposure.\n\nThe two variables, impact and probability, are combined to assess the overall risk\ncategory as displayed in Figure 2.\n\n\n\n\n                                            I - 26\n\x0c                                                                               APPENDIX D\n\nFigure 2: Risk Assessment Matrix\n        Impact\n\n     5 \xe2\x80\x93 Critical\n     4 \xe2\x80\x93 High                                                          3\n\n     3 \xe2\x80\x93 Medium                                 2\n\n     2 \xe2\x80\x93 Low              1\n\n     1 \xe2\x80\x93 Very Low\n                     Very Low  Low     Medium    High    Extreme\n                     0 \xe2\x80\x93 20% 21 \xe2\x80\x93 40% 41 \xe2\x80\x93 60% 61 \xe2\x80\x93 80% 81 \xe2\x80\x93 100%\n                                           Probability\nSource: The FDIC New Financial Environment Risk Management Plan developed by Accenture.\n\nRisk categorization is based on factors where specific risks are likely to occur, including\nresource/cost, schedule, technical, operational, and external. Overall risks assigned by\nKPMG focused on issues impacting the FDIC\xe2\x80\x99s ability to achieve NFE objectives from\nboth a technical and operational nature. These factors, referred to as risk drivers, may\nimpact both Cost and Schedule risks.\n\nEach risk is described further below:\n\nTechnical\nTechnology-based risks consider the non-achievement of the application specifications\nand benefits expected. These risks include new and non-standard platform technology,\nintegration problems with existing systems, migration problems, performance\nexpectations not achieved, environment complexity and functionality, and system\noperability.\n\nOperational\nOperational-based risks focus on the peripheral organizational and business operational\nre-engineering changes arising from the NFE implementation effort. These risks consider\nboth the transitional and the long-term effects of the NFE\xe2\x80\x99s introduction, including the\norganizational and behavioral changes required, the human and physical resource\nplanning, and communication required to facilitate a smooth transition to the new\nstructure.\n\nExternal\nExternal-based risks consider the environmental factors largely outside of the control of\nthe NFE Project Management that can directly or indirectly affect the successful delivery\nof the NFE. Risks arising from legislative regulations, legal requirements, and the\nstrategic direction and priority conflicts of a controlling body are profiled under this\ncategory.\n\n\n\n                                              I - 27\n\x0c                                                                           APPENDIX D\n\nResource/Cost\nCost-based risks outline the non-achievement of the financial benefits of NFE. These\ncost risks include additional costs in changing or solving design, application program, or\noperational problems.\n\nSchedule\nSchedule-based risks focus on the non-achievement of the biggest system benefits within\nthe specified time frame. These schedule-based risks arise from extensions as a result of\nscope changes, resource unavailability, and additional schedule extensions for solving the\nrisks as discussed earlier in Resource/Cost.\n\n\n\n\n                                            I - 28\n\x0cAPPENDIX E: ACRONYMS\n\n  Acronyms   Definition\nCCB          Change Control Board\nCCR          Central Contractor Registry\nCMMI         Capability Maturity Model Integration\nCOTS         Commercial-off-the-shelf\nCQMS         Configuration and Quality Management Staff\nCTM          Control Totals Module\nDIT          Division of Information Technology\nDOA          Division of Administration\nDOF          Division of Finance\nDPS          Dividend Processing System\nDRR          Division of Resolutions and Receiverships\nETV          Electronic Travel Voucher\nFDIC         Federal Deposit Insurance Corporation\nFDL          FDIC\xe2\x80\x99s Digital Library\nFFMIA        Federal Financial Management Improvement Act\nGAO          Government Accountability Office\nJFMIP        Joint Financial Management Improvement Program\nNFE          New Financial Environment\nNIST         National Institute of Standards and Technology\nOERM         Office of Enterprise Risk Management\nOIG          Office of Inspector General\nOMB          Office of Management and Budget\nSIT          Systems Integration Testing\nSQT          Systems Qualifications Testing\nUAT          User Acceptance Testing\n\n\n\n\n                                   I - 29\n\x0c                Part II\n\nCorporation Comments and OIG Evaluation\n\x0cCORPORATION COMMENTS AND OIG EVALUATION\n\nThe report contains one recommendation directed to the Director, DOF, and to the NFE project\nmanagement team. The Director, DOF, provided a written response to the draft report on\nMay 18, 2005. Management\xe2\x80\x99s response is presented, in its entirety, beginning on page II-2.\nDOF management concurred with the recommendation. Based on management\xe2\x80\x99s response, the\nreport\xe2\x80\x99s recommendation is considered resolved, disposition, and closed. DOF\xe2\x80\x99s response to the\nreport recommendation is summarized below, along with our evaluation of the response.\n\nRecommendation: KPMG recommends that the Director, DOF, and the NFE project\nmanagement team review the risks identified and develop a risk resolution and action approach\nin accordance with the risk mitigation procedures outlined in the NFE risk management plan.\n\nDOF Response: DOF concurs with the recommendation to review the risks identified in the\ndraft of the report and to develop a risk resolution and action approach. As OIG findings and\nrecommendations were received, NFE project management reviewed and discussed the input in\nlight of overall project risks and other mitigating efforts. Using the Summary of Findings table\nin the draft of this report as a guide, NFE project management developed a risk assessment\nmatrix, submitted with DOF\xe2\x80\x99s response, to summarize management\xe2\x80\x99s conclusions of the\nidentified conditions. DOF also responded that the NFE control framework afforded a high\ndegree of confidence that a \xe2\x80\x9cgo live\xe2\x80\x9d decision was appropriate under the circumstances.\n\nOIG Evaluation of Response: The risk assessment matrix summarizes the risk resolution and\naction approach for the conditions discussed in the report. The action effectively implements our\nrecommendation. We consider the recommendation resolved, dispositioned, and closed.\n\nThe risk assessment matrix also includes updated Level of Risk information showing that the\nhigh and medium risks of reported conditions have been reduced since the completion of field\nwork on March 8, 2005. The risk levels could have been reduced through additional testing in\nresponse to our early notifications to the NFE management team regarding potential weaknesses\nand through additional planned tests to be conducted after audit field work. However, we did not\nperform additional work to validate the Level of Risk information.\n\n\n\n\n                                               II-1\n\x0cAppendix III\n\x0cII-3\n\x0cII-4\n\x0cII-5\n\x0cII-6\n\x0cII-7\n\x0cII-8\n\x0c                                                         MANAGEMENT RESPONSE TO RECOMMENDATION\n\n         This table presents the management response on the recommendation in our report and the status of the recommendation as of the date\n         of report issuance.\n\n\n                                                                                                                                                   Open\n                                                                      Expected           Monetary        Resolved:a      Dispositioned:             or\n                                                                                                                          b\n                      Corrective Action: Taken or                    Completion          Benefits        Yes or No          Yes or No             Closedc\n                              Planned/Status                            Date\n               As OIG findings and recommendations\n               were received, NFE project management\n               reviewed and discussed the input in light\n               of overall project risks and other                     Completed             N/A              Yes                Yes                Closed\nII - 9\n\n\n\n\n               mitigating efforts. DOF reviewed the\n               risks identified in the draft report and\n               developed a risk assessment matrix to\n               summarize management\xe2\x80\x99s conclusions of\n               the identified conditions.\n         a\n             Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.\n                         (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.\n                         (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as\n                            management provides an amount.\n         b\n          Dispositioned \xe2\x80\x93 The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through\n         implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.\n         c\n             Once the OIG dispositions the recommendation, it can then be closed.\n\x0c'